Transport Layer Security encryption: Five steps to get you started

Value-added resellers (VARs) and consultants can provide customers with email security and privacy assurance using the Transport Layer Security encryption and authentication protocol. This tip, reposted courtesy of SearchSecurity.com, explains how to prepare customers for TLS.

By Al Berg

Published: 03 Nov 2006

Although email is an integral part of modern business, it still relies on insecure transport protocols that were designed before anyone could predict how important email would become. However, network administrators can find some security and privacy assurance in the Transport Layer Security (TLS) encryption and authentication protocol.

TLS is a variation of the tried-and-true Secure Sockets Layer (SSL) protocol that we use to protect Web traffic. Using TLS to encrypt communications between two email gateways has a number of security benefits. First, each mail server authenticates to the other, making it harder to send spoofed email. Second, the contents of the emails sent between the two servers are encrypted, protecting them from prying eyes while in transit. Finally, the encryption of the conversation between the two hosts makes it exceedingly difficult for an attacker to tamper with the email's contents. TLS is certainly no panacea, but it can add a layer of security to your email infrastructure without too much fuss.

Here are five steps to help you get started:

1. Understand the limits of TLS when compared to other forms of email encryption (like PGP and S/MIME). TLS protects the connection from your gateway to the first destination gateway. If there are intermediate hops when mail is forwarded from one gateway to another, the protection afforded by TLS is lost after the first hop. For example, TLS is a good choice for two businesses that communicate frequently as long as both gateways communicate directly.

2. Make sure the organization on the other end of the connection is able and willing to set up TLS. Like many things in life, encryption is no fun alone. If your gateway is configured to use TLS, but the recipient's is not, email traffic to that destination will be transmitted without authentication or encryption.

3. Get a digital certificate to identify your email server. While you can create your own self-signed certificate, using a cert issued by a trusted organization will make it easier for email partners to trust your server's identity.

4. Configure your email gateway to support TLS connections with hosts that are TLS capable. This will mean granting the gateway access to your new certificate. If you are using Sendmail, you can find a clear discussion on how to set up the gateway at Sendmail.org. Postfix users can consult Postfix.org and Microsoft Exchange users can find information at Support.Microsoft.com.

5. Educate your users to recognize the presence or absence of the email header that tells them an email came in over a TLS connection. The following is an example of the received header from a message sent via TLS:

The portion of the header in bold type indicates the message came in with 168-bit DES encryption from a server that presented a valid certificate.
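Added example (not part of the original article, whose sample header did not survive on this page): Python code that reads a message's Received headers and reports, hop by hop, whether the receiving server recorded a TLS session. The sample message, its hostnames and the `tls_report` helper are constructed for illustration, and the two annotation formats it matches are assumed to be the ones Sendmail and Postfix commonly write.

```python
import re
from email import message_from_string

# Constructed sample message (hostnames, addresses and IDs are made up).
# Each hop prepends its Received header, so the first one is the newest hop.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [192.0.2.10])
\tby gw.corp.example (8.13.8/8.13.8) with ESMTP id kA3F0001
\t(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=OK);
\tFri, 3 Nov 2006 10:00:02 -0500
Received: from internal.partner.example (internal.partner.example [198.51.100.5])
\tby mx.partner.example (Postfix) with ESMTP id 4F2A1;
\tFri, 3 Nov 2006 10:00:01 -0500
From: alice@partner.example
To: bob@corp.example
Subject: constructed test message

body
"""

# Assumed annotation styles: Sendmail "(version=.. cipher=.. bits=N verify=X)"
# and Postfix "(using TLSvX with cipher NAME (N/M bits))".
SENDMAIL = re.compile(
    r"version=(?P<ver>\S+)\s+cipher=(?P<cipher>\S+)"
    r"\s+bits=(?P<bits>\d+)\s+verify=(?P<verify>\w+)")
POSTFIX = re.compile(
    r"using\s+(?P<ver>TLS\S+)\s+with\s+cipher\s+(?P<cipher>\S+)\s+\((?P<bits>\d+)/\d+\s+bits\)")

def tls_report(raw_message):
    """Return one dict per hop, newest first, describing its TLS annotation."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = SENDMAIL.search(flat) or POSTFIX.search(flat)
        by = re.search(r"\bby\s+(\S+)", flat)  # server that wrote this header
        hop = {"by": by.group(1) if by else None, "tls": bool(m)}
        if m:
            hop.update(
                cipher=m["cipher"], bits=int(m["bits"]),
                cert_verified=m.groupdict().get("verify") == "OK" or "verified OK" in flat)
        hops.append(hop)
    return hops

if __name__ == "__main__":
    for hop in tls_report(SAMPLE):
        print(hop)
```

Only the Received header written by your own gateway is trustworthy; headers from earlier hops are supplied by the sending side and can be forged.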

Once you have implemented TLS on your mail server, you can also use it to address other mail-related issues, such as who has permission to relay mail through your server and which mail servers are allowed to connect to yours.

Although TLS is not perfect and it addresses only some of email's security problems, it is a good email security option that is based on non-bleeding-edge technology. If your concerns about email transfers fit the point-to-point model that TLS addresses, it can be an excellent way to add security to your email.

About the Author: Al Berg, CISSP, CISM, is the Director of Information Security for Liquidnet (Liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.
